Debian Bug report logs -
#901653
mruby: CVE-2018-12248
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>
:
Bug#901653
; Package src:mruby
.
(Sat, 16 Jun 2018 09:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>
.
(Sat, 16 Jun 2018 09:15:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: mruby
Version: 1.4.1-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/mruby/mruby/issues/4038
Hi,
The following vulnerability was published for mruby.
CVE-2018-12248[0]:
| An issue was discovered in mruby 1.4.1. There is a heap-based buffer
| over-read associated with OP_ENTER because
| mrbgems/mruby-fiber/src/fiber.c does not extend the stack in cases of
| many arguments to fiber.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-12248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12248
[1] https://github.com/mruby/mruby/issues/4038
[2] https://github.com/mruby/mruby/commit/778500563a9f7ceba996937dc886bd8cde29b42b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org
.
(Thu, 21 Jun 2018 17:30:11 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>
:
Bug#901653
; Package src:mruby
.
(Fri, 22 Jun 2018 04:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
:
Extra info received and forwarded to list. Copy sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>
.
(Fri, 22 Jun 2018 04:12:04 GMT) (full text, mbox, link).
Message #12 received at submit@bugs.debian.org (full text, mbox, reply):
Source: mruby
Version: 1.4.1+20180622+git640fca32-1
Hi,
This bug was fixed in 1.4.1+20180622+git640fca32-1.
Best regards,
Nobuhiro
2018-06-16 18:10 GMT+09:00 Salvatore Bonaccorso <carnil@debian.org>:
> Source: mruby
> Version: 1.4.1-2
> Severity: important
> Tags: patch security upstream
> Forwarded: https://github.com/mruby/mruby/issues/4038
>
> Hi,
>
> The following vulnerability was published for mruby.
>
> CVE-2018-12248[0]:
> | An issue was discovered in mruby 1.4.1. There is a heap-based buffer
> | over-read associated with OP_ENTER because
> | mrbgems/mruby-fiber/src/fiber.c does not extend the stack in cases of
> | many arguments to fiber.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-12248
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12248
> [1] https://github.com/mruby/mruby/issues/4038
> [2] https://github.com/mruby/mruby/commit/778500563a9f7ceba996937dc886bd8cde29b42b
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
--
Nobuhiro Iwamatsu
iwamatsu at {nigauri.org / debian.org}
GPG ID: 40AD1FA6
Reply sent
to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
:
You have taken responsibility.
(Fri, 22 Jun 2018 04:12:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Fri, 22 Jun 2018 04:12:06 GMT) (full text, mbox, link).
No longer marked as found in versions mruby/1.4.1+20180622+git640fca32-1.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org
.
(Fri, 22 Jun 2018 18:27:09 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sat, 21 Jul 2018 07:31:11 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:37:38 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.